Bug 34102 - libarchive new security issues CVE-2025-1632 and CVE-2025-25724
Summary: libarchive new security issues CVE-2025-1632 and CVE-2025-25724
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-14 14:32 CET by Nicolas Salguero
Modified: 2025-03-17 17:34 CET
CC List: 2 users

See Also:
Source RPM: libarchive-3.6.2-5.3.mga9.src.rpm
CVE: CVE-2025-25724
Status comment:


Description Nicolas Salguero 2025-03-14 14:32:55 CET
openSUSE has issued an advisory on March 13:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2VPBSF65DTMKEEGFEJY6QEGJSZY7TSKV/
Comment 1 Nicolas Salguero 2025-03-14 14:33:57 CET
It seems that CVE-2025-1632 only affects Cauldron.

CVE: (none) => CVE-2025-25724
Source RPM: (none) => libarchive-3.7.7-2.mga10.src.rpm, libarchive-3.6.2-5.3.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2025-03-14 14:39:42 CET

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2025-03-14 15:05:36 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale. (CVE-2025-25724)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2VPBSF65DTMKEEGFEJY6QEGJSZY7TSKV/
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.2-5.4.mga9
bsdcpio-3.6.2-5.4.mga9
bsdtar-3.6.2-5.4.mga9
lib(64)archive13-3.6.2-5.4.mga9
lib(64)archive-devel-3.6.2-5.4.mga9

from SRPM:
libarchive-3.6.2-5.4.mga9.src.rpm

Source RPM: libarchive-3.7.7-2.mga10.src.rpm, libarchive-3.6.2-5.3.mga9.src.rpm => libarchive-3.6.2-5.3.mga9.src.rpm
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
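
Added example (not code from libarchive, from the Mageia package, or from anyone in this bug): a small C program showing the unchecked-strftime pattern the advisory text describes and a hardened form beside it. The function names, the fixed sample timestamp and the fallback format are this example's own choices; an oversized literal format is used as a stand-in for a custom locale whose expanded day/month names would overrun a 100-byte buffer, so it fails the same way in any locale.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Same size as the 100-byte buffer the advisory text describes. */
#define TIMEBUF_LEN 100

/* Constructed, fixed timestamp (2025-03-14 14:32:55, a Friday) so the
 * output does not depend on the host clock or timezone. */
static struct tm sample_tm(void)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = 2025 - 1900;
    t.tm_mon  = 2;
    t.tm_mday = 14;
    t.tm_hour = 14;
    t.tm_min  = 32;
    t.tm_sec  = 55;
    t.tm_wday = 5;
    return t;
}

/* Stand-in for a locale whose expanded names overrun the buffer: a format
 * whose literal text alone is 120 bytes, so the result can never fit in
 * TIMEBUF_LEN regardless of locale.  Constructed input for this example. */
static const char *oversized_format(void)
{
    static char fmt[121];
    memset(fmt, '-', 120);
    fmt[120] = '\0';
    return fmt;
}

/* Vulnerable shape: the return value of strftime is dropped.  Per the C
 * standard, when the result (including the terminating NUL) does not fit,
 * strftime returns 0 and the buffer contents are indeterminate; code that
 * then does fprintf(out, "%s", tmp) reads whatever happens to be there.
 * The buffer is pre-filled with 'X' and no NUL to make that hazard visible.
 * The value strftime returned is passed back only so a caller can observe
 * the 0; the pattern being illustrated never looks at it. */
static size_t format_time_unchecked(char out[TIMEBUF_LEN], const char *fmt,
                                    const struct tm *t)
{
    memset(out, 'X', TIMEBUF_LEN);
    size_t n = strftime(out, TIMEBUF_LEN, fmt, t);   /* real code ignores n */
    return n;
}

/* Hardened shape: test the return value and substitute a locale-independent
 * fallback that always fits, so out[] is always NUL-terminated.  Returns 1
 * when strftime succeeded, 0 when the fallback was used.  The fallback
 * format is this example's choice, not necessarily what libarchive's fix
 * does.  Caveat: strftime also returns 0 for a format that legitimately
 * expands to the empty string (e.g. ""), so a caller that must allow that
 * has to special-case it before calling here. */
static int format_time_checked(char out[TIMEBUF_LEN], const char *fmt,
                               const struct tm *t)
{
    size_t n = strftime(out, TIMEBUF_LEN, fmt, t);
    if (n == 0) {
        snprintf(out, TIMEBUF_LEN, "%04d-%02d-%02d",
                 t->tm_year + 1900, t->tm_mon + 1, t->tm_mday);
        return 0;
    }
    return 1;
}

int main(void)
{
    char buf[TIMEBUF_LEN];
    struct tm t = sample_tm();

    /* Fits: numeric format, 16 bytes, identical in every locale. */
    printf("unchecked, short format: strftime returned %zu\n",
           format_time_unchecked(buf, "%Y-%m-%d %H:%M", &t));

    /* Does not fit: strftime returns 0 and buf has no guaranteed terminator.
     * Printing buf with %s at this point would be the vulnerable pattern. */
    printf("unchecked, oversized format: strftime returned %zu "
           "(buffer contents unspecified, not printed)\n",
           format_time_unchecked(buf, oversized_format(), &t));

    int ok = format_time_checked(buf, oversized_format(), &t);
    printf("checked, oversized format: ok=%d, printed safely as \"%s\"\n",
           ok, buf);
    return 0;
}
```

The check is the whole fix: a zero return from strftime means the buffer must not be treated as a string. The same test applies to the verbose listing path the advisory describes (bsdtar -tvv, i.e. verbose level 2), which is the only path that formats the timestamp at all.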

katnatek 2025-03-14 19:03:50 CET

Keywords: (none) => advisory

Comment 3 katnatek 2025-03-15 02:42:40 CET
RH x86_64

installing bsdtar-3.6.2-5.4.mga9.x86_64.rpm lib64archive13-3.6.2-5.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64archive13        ##################################################################################################
      2/2: bsdtar                ##################################################################################################
      1/2: removing bsdtar-3.6.2-5.3.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64archive13-3.6.2-5.3.mga9.x86_64
                                 ##################################################################################################

Go to my Image folder

bsdtar -c -f ~/archtar *

examined archtar with ark, all files and folders checked OK

strace ark
Does not show "/lib64/libarchive.so.13" this time ????? but it works,
extracted ~/archtar without issues

strace bsdtar -c -f ~/archtar *, shows
openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 3

strace vlc shows
openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 4

play video with vlc OK

LC_ALL=C urpmi bsdcpio


installing bsdcpio-3.6.2-5.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: bsdcpio               ##################################################################################################

rpm2cpio ~/rpmfile.rpm|bsdcpio -idmv

extracts the content of the rpm successfully

Looks good to me
Comment 4 Thomas Andrews 2025-03-16 23:49:34 CET
Me, too. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK

Comment 5 Mageia Robot 2025-03-17 17:34:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0102.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
